Lands data breach the Authority’s fault – Developers

Webee Ltd, the web developers responsible for the front-end of the Lands Authority website, have said in comments to The Sunday Times of Malta that they never wrote the business application code responsible for the massive data breach last Friday. The website is still down, nearly two full days later, while Infrastructure Minister Ian Borg has answered questions very sparingly.

Last Friday, the Lands Authority website leaked over 10 gigabytes of personal information, including ID card details, emails, affidavits, and more. Thousands of Maltese people have had their information made accessible via Google search.

The developers told the Times that after the website’s front-end design, “any further software development on either the website or the business application was not under Webee Ltd’s control and was designed by the Lands Authority’s internal software development team.”

Apart from the Lands Authority website, Webee Ltd have also worked on Identity Malta, the Marigold Foundation, and even the Labour Party’s website. It was also reported by murdered journalist Daphne Caruana Galizia that Webee was responsible for a fake Simon Busuttil campaign website. The Government also used Webee to promote its 2015 and 2016 budgets, and for a €34,000 social media campaign to promote the current administration’s first four years in Government.

Screenshot recaptured at 8.45am

In a statement, the Authority said that “there does not appear to be any foreign, third-party or outside infiltration” which led to the leak. The statement also claimed that applicants who had their information leaked to the public were aware, upon submitting the information, that it would be open to “public inspection”.

Upon questioning by Newsbook.com.mt following the data breach, Infrastructure Minister Ian Borg replied, “Please note that we are informed that the Lands Authority has immediately taken the necessary steps to establish the facts about said matter. Details will be divulged in due course if and/or when appropriate in order not to allow such information to hinder the course of action being taken by the same authority.”

Lawyer Michael Zammit Maempel explained that it is now the Commissioner for Data Protection’s job to inform the affected. Meanwhile, the Commissioner’s officer gave further comments to the Times saying that “the Commissioner will take the necessary action in terms of his powers at law to ensure that the fundamental rights and freedoms of data subjects are safeguarded at all times.”